Posted
by
Soulskill
on Sunday April 25, 2010 @12:22PM
from the army-of-pokes dept.

Sir Codelot writes "A hacker who calls himself Kirllos has obtained and is now offering to sell 1.5 million Facebook IDs at astonishingly low prices — $25 per 1,000 IDs for users with fewer than 10 friends and $45 per 1,000 IDs for users with more than 10 friends. Looking at the numbers, Kirllos has stolen the IDs of one out of every 300 Facebook users. Quoting: 'VeriSign director of cyber intelligence Rick Howard told the New York Times that it appeared close to 700,000 had already been sold. Kirllos would have earned at least $25,000 from the scam. Howard told the newspaper that it was not apparent whether the accounts and passwords were legitimate, but a Russian underground hacking magazine reported it had tested some of Kirllos' previous samples and managed to get into people's accounts.'"

Actually... what this means is that you should change your banking passwords. It appears that what they are trying to do is use Facebook login credentials to go and see if there are any associated bank accounts with the same login information.

Meh. I maintain separate passwords for my bank, paypal, and a select few other sites. All others gets a default password. If someone hacks my Slashdot account, I'll create a new one. Not a huge deal. Really, the ideal is just for everyone to move to OpenID.

If you're too lazy to actually come up with unique passwords for each site and you happen to have OpenSSL installed (who doesn't?), you can automatically figure out all your passwords only having to remember one.

Come up with a base password, for the sake of argument let's say ABCDEF. For each site, append the name of the site to your base password. E.g., for Slashdot, it's ABCDEFslashdot. "echo ABCDEFslashdot | openssl sha1" yields your password of 040b6c2fb4d5858ad21810deb8e9ee2eb804e2a7. From that password it is intractable to determine what your base password was and hence what your other passwords are.

Actually... what this means is that you should change your banking passwords.

Do any banks actually use ordinary password authentication? My bank has provided me with a Digipass, a small device with a numeric keypad, where I enter my PIN, select an authentication mode, input a challenge (a couple of randomly generated bank-provided numbers) and when confirming transfer orders, an amount. The device then displays a string of digits, which I enter into the bank login page. Using ordinary passwords seem pretty insecure in comparison.

Honestly, E*Trade is pretty much the only one I can think of off the top of my head that uses something like that. Pretty much every bank in the country just uses simple passwords with verification questions. And an astonishing number don't bother to make their home page load via SSl.

The main reason being that they aren't generally held accountable for breaches that may occur due to their own lax security measures. In relative recent history it was still relatively common for ID thieves to be able to get

Corporations are under a legal and I would argue a moral obligation to optimize their owners return on investment.

Sure, but that does not preclude the fact that (in my opinion at least) banks are also under the moral obligation to keep their customers' money safe from unauthorized access. Customers have deposited their money in the bank because they trust that the bank will give them back (with interest) when they want them.

I don't see it as unreasonable that the government holds them to this moral responsibility, e.g. by declaring minimum security standards required. After all, the government decides who can be a bank

Here in Finland, banks usually provide you with a list of ~50-100 one-time use codes, so it's basically impossible to figure out the next code unless you manage to find some pattern in the random digit generator that the banks use to generate those one-time codes. To me this seems even more secure than using those keypads that most other european countries seem to be using. The only way I can concieve this to be hacked is to figure out what someone's userid is (random generated string, i.e. basically a trad

the only way I can conceive this to be hacked...
Always a dangerous statement - just because you can't think of an attack doesn't mean there isn't one.

You are correct that no one is going to guess the next one-time password. Instead, they are going to attack your machine, and piggyback on your session after you have logged in. This is happening in the wild today, although it's mostly aimed at larger commercial accounts.

Those keypads are more secure because they can be used to enter unique data for

Some New Zealand guy found his account on a list that was published earlier by the hacker, sure he may be complicit in the fraud, but then that wouldn't explain why the Russian hacker magazine didn't notice anything special about those accounts, such as a lack of messages. Also I would assume that FB has some mechanisms in place for preventing one IP to be used for signing up several hundred times, so he would have to use stuff like a bot net, and a captcha breaker anyway. So creating 1.5M fake accounts wo

Looking at the numbers, Kirllos has stolen the IDs of one out of every 300 Facebook users.

Translation: it might not be a bad time to change your password if you use Facebook.

If Facebook was concerned about the safety of their users, why not just go UPDATE users SET must_reset_password = 1; Throw a reCaptcha onto the reset page, too, so the "hacker" can't automate that process.

Of course there's a fatal flaw in my plan. "If Facebook was concerned about the safety of their users..."

>Translation: it might not be a bad time to change your password if you use Facebook.

According to the article, the passwords are gleaned from malware installed on the user's machine. So even if you change your password, what is to prevent the same malware from sending the new password to this hacker guy and allowing him to resend the changed account info to his buyers?

Am I safe? I have a six-character, alphanumeric password on facebook. But it's also my weakest password. I chose that one specifically because I don't trust FB, and didn't want to compromise my other passwords. Did they dictionary/brute force it, or did they get the passwds some other way?

I'm suprised they are not worth more since they represent a great point of entry for social attacks. Think Personalized spam (i.e. "Hey John, I think Laura wanted you to buy this for the concert you are attending next week"), targeted dictionaries, localized phising (i.e. location data deploys phising to compromised machines near you). Once you break a single friend in the "network" you gain additional information to everyone in that scope, so the return on entry is very promosing. An attacker can begin profiling ideal targets in the guise of friends. Ah, so many possibilties. Such a gold mine.

The wonderful thing about his product though, is that he can keep selling it even after he has sold it.

He doesn't have 1.5 million accounts to sell once, he has 1.5 million accounts to sell over and over and over. He may only be able to get $50k for the lot, but he can sell them all a dozen times. Depending on if they catch him or not, and how effective they are at getting people to change their passwords (the only way to make the accounts worthless), this guy could make half a million dollars or more pretty easily.

The wonderful thing about his product though, is that he can keep selling it even after he has sold it.

He doesn't have 1.5 million accounts to sell once, he has 1.5 million accounts to sell over and over and over. He may only be able to get $50k for the lot, but he can sell them all a dozen times. Depending on if they catch him or not, and how effective they are at getting people to change their passwords (the only way to make the accounts worthless), this guy could make half a million dollars or more pretty easily.

Not if I'm the first to buy them and change the passwords on the accounts....

Yes, but that would make the accounts worthless pretty quickly. The "value" of the account is that both the buyer and the actual account owner know the password. So it looks like a completely legitimate thing when the buyer (pretending to be the actual account owner) sends messages to the account owners "friends" asking them to go to certain sites, run certain "cool" programs, etc. The value goes down pretty quickly if the original owner is locked out by a password change and tells all their "friends" that

He may only be able to get $50k for the lot, but he can sell them all a dozen times.

Are you impugning the dignity of this entreprenuer? A man's word is his bond, and the most valuable asset he possesses. I'd be surprised if he isn't contacting legal counsel to initiate legal action against you for defamation of character as we speak!

Don't forget the value of all the answers for to factor authentication as well. Lots of banking sites and stuff will after you enter your password/username pair correctly also ask you something like, what is your mothers maiden name, or What is your favorite kind of car, or what elementary school did you attend, etc etc. All things that someone with access to your facebook account might have a very good shot at knowing.

Right and decent banking sites don't use those for password recovery questions. They use them for an additional check each time you logon; they usually have you answer a number of questions when you setup your online access and challenge you with one in a semi-random fashion using a window of time as the seed so an attacker can't just try again in hopes of getting a question he can answer right away; he will have to wait an hour or something.

According to the Facebook statistics page the average account has 130 friends. If 1 in 300 accounts are compromised and you have circa 130 friends then the odds are quite high that the personal data you have "only available to friends" is going to become available to some fairly unfriendly people shortly.

Reminds me of the evertrue saying 'play with fire and you'll get burnt'. I have always been mindful of the threat FB poses to my privacy and have completely closed down my account several times, but keep giving in and going back due to peer pressure from family & friends. This time I'm killing it off for sure. No organization, be it governmental or corporate should have control over so much of an individuals personal data.

No one forces you to fill in all the information. Just have a page with your name on it if friends and family want you to have one. Just leave blank all the other sections. Then you have no problems with your personal information.

No one forces you to fill in all the information. Just have a page with your name on it if friends and family want you to have one. Just leave blank all the other sections. Then you have no problems with your personal information.

Wrong! This is one of the biggest misconceptions people have. The true value isn't one's profile per se, but who one's "friends" are and the various interactions between them.

Unless your friends are all strangers who know little about you, your personal information is likely more exposed on Facebook than you realize. Often I see instances of a parent, sibling, in-laws, significant other, etc post personal details on one's Facebook wall, gallery, etc that are often visible to others on one's friend list, and even often to friends of friends too.

And that's not even getting into the issue of rogue friends, which can easily sneak in to gather information; among the value of stealing FB IDs... it's not always about getting passwords, but rather collecting data for other uses, such as, spear-phishing / more targeted attacks - learning one's security questions they have setup on say a banking site.

Your friends aren't going to be putting where you live, where you work, your phone number, or any of that other crap on their page. And even if they are, you just tell them,
don't put my personal information on there". If they don't respect your wish, de-friend them. You are throwing the baby out with the bathwater if you simply cancel your whole account.

I removed my personal information by just changing it to random cities, phone number of a business in that random city (address too). I was one of those who had some level of "real" info there in the past that was locked down to be visible by certain users only. However, with all the "privacy" changes (read turning off privacy) that FB has been making lately I went and changed the info to false info. I'd imagine some cache somewhere will still have the real stuff for awhile, but that it will become harder a

You mention closing down your FB account permanently. If so, be sure you delete everything out of it, including unfriending everyone, all public / private messages, gallery pictures, etc. If you've recently closed your account, just log back in and reactivate it (may be occur automatically), delete everything, and then delete the account again. And to ensure your FB account remains deleted, do not try logging into it for a month (FB says wait two weeks, but don't trust

According to the Facebook statistics page the average account has 130 friends. If 1 in 300 accounts are compromised and you have circa 130 friends then the odds are quite high that the personal data you have "only available to friends" is going to become available to some fairly unfriendly people shortly.

Of course, the way facebook itself is headed odds are high that "only available to friends" data is already going to be available to everybody shortly. At least that's what facebook's retroactive TOS chan

According to the Facebook statistics page the average account has 130 friends. If 1 in 300 accounts are compromised and you have circa 130 friends then the odds are quite high that the personal data you have "only available to friends" is going to become available to some fairly unfriendly people shortly.

Does anyone out there actually give complete and correct information to Facebook? I work with university students, and it's scary how much "private" information they put out there, just because there's a box for it on a FB web form. I'm an 83-year-old grandmother, at least as far as FB's data collection goes. A bunch of other [optional] stuff was left blank.

Although it is interesting that that 83-year-old went to the same high school and university that I did....

...and yet, time after time, FB users ignored the abuse and kept on using the service. I really have little sympathy for such blatant and above all, stubborn disrespect for one's own security. And for what? To have "virtual friends"? To "keep in touch"? Both friends, conversing and socializing are more fulfilling when done in some of the more traditional ways.

what do you care about your security if all you do is post crap?
i care about my security for personal things. but those don't happen on facebook, where community things happen. and i don't care about privacy, there, at all. why should i?

You know, I really despise these "High and mighty" posts about how all FB users are irresponsible idiots. There are a number of great uses for Facebook, and many of us actually PREFER to be contacted via facebook by our friends, rather than the endless deluge of phone calls and text messages. If you're having a get-together, I'd much rather you invite me on FB than tell me in person, because chances are, I'm going to forget. And I don't really see the point of the privacy crap either. I only put information on a social site that I'm comfortable sharing socially. I don't get it.

Why FB has to be a replacement of real social life interaction? Oh, you mean, the day you sign up for FB, you will physically be unable to engage in any real social behavior?

I am on FB - but that's just so that I don't have to remember who is married to whom and all that. In fact, if you want, you can engage in more real social life with help of FB or any similar sites. One example - It's common to see Flickr users to arrange meet-ups.

Living in my IT bubble in San Diego it was easier for me to bag on Facebook and 'look down' on it's users but now that I'm unemployed and living temporarily with family I seen how useful it is for them to keep in touch with friends and relatives in a way that letters or email simply can't emulate.

Besides, if we really thought Facebook was that bad instead of bitching about it we'd be the talent pool responsible for creating a better alternative (unless you believe that only venture-funded MBAs can take on such a technological challenge). For instance, I've never liked any of the popular/available dating sites, so what do you think I'm doing while I learn Mongodb in my free time?

Both friends, conversing and socializing are more fulfilling when done in some of the more traditional ways.

Like what? Email, so my messages can get lost in the sea of spam? Phoning, during the roughly 1 hour each day when both I and my overseas friends are awake and at home, and they're exhausted after a long day and I'm rushing to get off to work? Maybe I should just hop on a plane every weekend to meet people face to face -- I'm sure that would be a fulfilling use of my time and money!

Sorry, but services like Facebook fill an important gap that nothing else really caters for. If you don't like it, think of something better, but don't go round bashing it just because you personally have never moved out of your home town or made any friends who lived more than a street away.

I have a FB account. I have reestablished contact with old friends and very distant family members I didn't otherwise have contact with. The alternative to finding someone you have lost contact with (if your other close family and friends don't know where someone is or how to contact them) is by searching Google and hoping you find a reasonable match. Even then most sites that find a person for you want an idiotic amount of money and a buy in to their scam service to get the contact info. Then there isn't a guarantee that it is the right person or the contact info is still relevant.

People do use FB for more than asking someone to fertilize their crops or signing some mob-mentality world solving petition. It's possible to use social networking in a responsible manner. Facebook does seem to have a blatant disregard for their users and it's possible that a better service will come along and people will move to it. Another point condescending pedants might be missing is the exposure of security and privacy risks can help to educate people who might not otherwise even know about them. That is, just because people aren't using social networking doesn't make them any more safe on the internet. There were plenty of online scams and security risks before social networking; at least now people can communicate the nature of them and educate users how to safeguard themselves. One of the first things I did after seeing that CBS news story is post it on FB so that people could change their FB and email password info.

It's much bigger than spam. Thousands upon thousands of other websites will let you log in by using only your facebook credentials. It takes two clicks (easily automated). If you don't already have an account, it typically just creates one for you.

Now think about what those other websites might be.Now think about what those websites do with information in order to sell you things.Now think about what kind of information people would put on those other websites, knowing that "only facebook" has weird privacy

I only need to keep track of a few passwords. The rest of them are stored in Firefox or PasswordSafe [sourceforge.net]. I put everything in PasswordSafe, and I also let Firefox remember the less important ones. All I have to remember is my logon password, my Firefox master password, and my PasswordSafe password.

They're probably just the type of fake accounts I've seen before attempting to friend random people. Most of them probably are female, with pretty photos lifted from the internet. The tipping point for price belies their nature: under or over ten? Real accounts usually have at least over fifty, if not hundreds of friends. That said, this still is a big security issue given the amount of data people's friends can get on their profile, and the proclivity for the younger kids to add anyone who friends the

facebook today told me: "your account was accessed from an unusual place and has been blocked." then i had to do all sorts of things to prove i'm human and it told me to create a new password. i created such a strong password that i have forgotten it. now will have to change it again.

...probably some people "deserve" the trouble they attract when using computers. Using an easy login/password combination is something it's not my problem. Maybe illiterate people have this problem, but then "what did they expect" of computers and internet usage? They pretend it to be like turning on a bulb. It works, it doesn't work. I would sincerely propose something like "computer usage credentials certificate". Someone is ALWAYS pretending "using computers is something anyone can do" (ha!)

Probably because unlike in the US, Russia seems to turn a completely blind eye to cyber criminals. Granted we don't do such a good job ourselves, but we do look for them and prosecute them when found. It's rich that a country with a very serious problem with organized crime would even pretend like there's no justification for pointing a finger back at the lack of enforcement.

To wit, cybercrimes cause precisely as much harm as your bank/government in your country wants them to cause. It's like spam: you could pretend that you can shut down all spammers across the world at source, or you could deploy education and effective antispam solutions to protect potential victims.

No it isn't - it's just that the bank from which physical cash is withdrawn should end up with a net loss. Same thing would happen if I, as an Interweb merchant, sold goods to someone who had used a stolen CC - the $ would be deducted from my account and I'd have just given away free goods.

Cybercrime affecting some guy across the world and/or his local bank then becomes real theft by a Russian resident from a bank in Russia. Watch the Russian government suddenly take notice.

You really think the Russian government turns a blind eye to cyber criminals? That doesn't seem right to me... if the officials aren't on the lookout for criminals, then how will they know who to blackmail for bribes?